1. Topic

1.1. Risk and Opportunity Register 

2. Issue

2.1 To provide the Management Board with assurance on the ICO’s 
corporate risk and opportunity register. 

3. Reason for report 

3.1 Management Board review the ICO’s corporate risks and 
opportunities at each meeting as part of its formal risk and 
assurance governance function. 

4. Background

4.1 Corporate risks are subject to a full review by the Risk and 
Governance Board on a bi-monthly basis, with the most recent 
review having taken place in April 2021. The Audit Committee also 
reviewed the updated register at its April meeting. 

5. Overview of updates to the corporate risk register

5.1 Since the Management Board last met in March 2021, the next
iteration of the corporate risk review has been completed, where
all risks on the corporate register are reviewed by risk owners and
any amendments considered by the Risk and Governance Board.
As a result of these reviews, the following updates have been
made to the Corporate Risk Register:


• R83: Staff wellbeing and welfare: the current score for this
risk has increased from 12 to 16 to reflect the increased 
challenges in this area due to the ongoing lockdown. 


• R84: Major incident: The gross score has reduced from 25 to
20, and the net score reduced from 15 to 12, due to the
reduced likelihood of a further major incident occurring at the
present time and to reflect progress in this area since the
beginning of the pandemic.


• R85: Managing ICO reputation: the target score has increased
from 4 to 6, to reflect the external variables which are beyond 
our control. 


• R88: Future role of the ICO: the risk description has been
rephrased, in line with a request from Management Board. 
This change was reported to the Management Board at its 
meeting in March. 


• R26: Improving Productivity: ownership of this risk has been
moved from Mike Fitzgerald to Paul Arnold, to reflect that 
actions to mitigate this risk are wider than IT issues, and 
encompass the full scope of the Corporate Strategy and 
Planning Service. Further work will be undertaken to review 
this risk and ensure the different aspects of productivity are 
captured. 


5.2 In addition, the following potential updates were identified as
requiring further work coming out of this iteration of the review:


• R10: Statutory Codes: the Directors responsible for the
production and delivery of the various statutory codes will 
meet to review the wording of this risk. This is required as the 
risks are at different stages of development and it is 
necessary to consider whether having a single corporate risk 
is appropriate to manage the risks. The alternative would be 
to divide this risk into multiple risks for each individual Code, 
with these risks being held within Directorate risk registers. 


• R73: Compliance culture: The Audit Committee recently
conducted a deep dive to gain assurance that appropriate
measures were in place to ensure that the ICO complied with
all of its statutory duties. This risk will be reviewed in the next
iteration of the risk review to ensure that it is appropriately
phrased and scored, following the outcomes of that work.


5.3 The tables below inform the Management Board of progress
against key risks. Please note that for threats the highest rated are
highlighted in the highest rated table, and for opportunities the
lowest scoring is highlighted, as the scoring mechanism is reversed
for threats and opportunities. Annex A shows a heat map of the
threats and opportunities.


Table 1: Highest Rated Corporate Risks 


Ref | Type   | Risk Title                  | Rating  | Direction
R4  | Threat | Capacity and Capability     | 20 High | Static
R73 | Threat | Compliance Culture          | 16 High | Static
R46 | Threat | Financial Resilience        | 16 High | Static
R83 | Threat | Staff Welfare and Wellbeing | 16 High | Increasing
R71 | Opp’ty | Online Harms                | 6 Med   | Static


Table 2: Risk Watch List 


Ref | Type   | Risk                             | Rating | Direction
R84 | Threat | Major Incident                   | 12 Med | Reducing
R10 | Threat | Statutory Codes                  | 12 Med | Static
R61 | Threat | Litigation Resource              | 12 Med | Static
R72 | Threat | SMEs                             | 12 Med | Static
R87 | Threat | International Position           | 12 Med | Static
R85 | Threat | Managing ICO Reputation          | 12 Med | Static
R90 | Threat | Regulatory Action                | 12 Med | Static
R88 | Threat | Future role and structure of ICO | 12 Med | Static
R89 | Threat | Compensation                     | 12 Med | Static

6. Recommendations


6.1. Management Board is recommended to note the risk register. 

7. Alignment with values


7.1. Reviewing the risk register and ensuring that risks to our corporate
objectives are being managed helps to ensure we are being
ambitious and service focused. It also assists in ensuring we focus
our collaboration in areas which have the most value in mitigating
and managing risk.


8. Link to the Information Rights Strategic Plan 


8.1. The risk register helps to prioritise and track actions against all the 
IRSP. 


9. Publication considerations


9.1. This report can be published internally and externally. The 
corporate risk register is published internally, and externally with 
redactions where appropriate. 


Author: Chris Braithwaite 
Consultees: Jo Butler, Louise Byers 

Current Scored Risks Key:

R4: Capacity and Capability (Th)
R73: Compliance Culture (Th)
R46: Financial Resilience (Th)
R84: Major Incident (Th)
R85: Managing ICO Reputation (Th)
R90: Regulatory Action (Th)
R10: Statutory Codes (Th)
R61: Litigation Resource (Th)
R88: Future Role and Structure of ICO (Th)
R83: Staff Wellbeing and Welfare (Th)
R72: SMEs (Th)
R87: International Position (Th)
R89: Compensation (Th)
R91: Targeted Regulatory Activity (Th)
R81: Management Board Resilience (Th)
R26: Improving Productivity (Th)
R21: Cyber Security (Th)
R86: Political and Economic Environment (Th)

03: Expectations Gap (Opp)
02: Service Excellence (Opp)
071: Online Harms (Opp)


